Security and compliance challenges hinder innovation, finds CloudBees

Prakash Sethuraman, Chief Information Security Officer at CloudBees

CloudBees, the software delivery platform for enterprises, released its annual CloudBees Global C-Suite Security Survey report that finds security and compliance challenges are a significant barrier to most firms’ innovation strategies. It also reveals agreement among C-suite executives that a shift left security strategy is a burden on development teams.

What were the findings of the survey?

Three quarters of C-suite executives say that compliance challenges (76%) and security challenges (75%) limit their firm’s ability to innovate. This is due, in part, to the significant time spent on compliance audits, risks and defects. At the same time, C-suite executives favor a shift left approach, a strategy of moving software testing and evaluation to earlier in the development lifecycle, placing the burden of compliance on development teams.

In fact, 83% say the approach is important for them as an organization, and 77% say they are currently implementing a shift left security and compliance approach. This is despite 58% of C-suite executives reporting that shift left is a burden on their developers.

The survey also revealed a drop in the confidence of software supply chain security and compliance, as well as a greater focus in this area. In 2022, 88% of executives say their software supply chain is secure or very secure, down from 95% in 2021.

Additionally, 33% note their software supply chain to be completely compliant – a decrease of 19% from the previous year. Further, among the C-suite, 86% are focusing more on compliance now than two years ago, and 82% express more concern about attacks.

Additional insights

The survey also finds:

  • Regional differences regarding confidence in compliance and security. The survey finds U.S. C-suite executives think the most about security and compliance, yet those in Spain and the U.K. spend the most time on compliance. German executives demonstrate the lowest level of confidence among executives surveyed with 23% saying their software supply chain is not secure.
  • When given the choice between speed and security, security wins. More than three quarters of C-suite executives say it is more important to be secure and compliant than fast and compliant.
  • C-suite executives have confidence in their teams. Nine in ten C-suite executives say their risk management team has the tools, knowledge and expertise to build and/or maintain a secure software supply chain.
  • Automation is helpful, but not available for all. Only 22% of C-suite executives say their software delivery supply chain is completely automated and 37% say it is close to being automated. Similarly, 22% say their compliance process is completely automated and 35% say it is almost completely automated.
  • When it comes to tools, it’s a mixed bag. Three in five (59%) executives say they have all, or mostly all, external tools for security and compliance issues, and 29% say they have a mix of internal and external tools. Only 11% use mostly internal tools.

What were the executive’s thoughts on the survey?

“These findings underscore the need to transform the software security and compliance landscape. As DevOps matures, security and compliance have taken center stage as a source of significant friction,” said Prakash Sethuraman, chief information security officer, CloudBees.

“While shift left is a popular talking point, it is not yielding the desired results. Instead, it is further burdening development teams and taking their attention away from value-added work. What’s needed is a new mindset and a fresh approach, one in which security and compliance are continuous and actually speed innovation,” Sethuraman further added.

The CloudBees Global C-Suite Security Survey polled 600 C-suite executives from companies with at least 250 employees in the U.S., the UK, Australia, France, Germany, and Spain.